I am told by our server admins, that our server has no DNS resolutions because they are under tight PCI DSS regulations for outbound data. I don't quite understand this because the server is used to host a website which all can access from the URL, but when I log on via Remote Desktop onto the server, I can't use the internet from the server, i.e. it can serve data but can't send outbound data. How is this possible? How can it have access to the internet by sending HTTP data to and fro, but can't resolve DNS names?

2 Answers
Generally in this situation the firewall is configured to do a couple things:

Only allow inbound connections on specific service ports (HTTP and HTTPS).

Only allow outbound connections that are related to inbound connections (i.e. the response to clients' HTTP requests). In many cases the DNS requests are explicitly blocked.

This prevents the server from making its own connections to other IP addresses, including preventing connections to DNS servers for the purpose of DNS lookup. This is one way of stopping malicious code on the server from transferring data elsewhere and from downloading other data. It also stops server administrators from being able to 'browse the web' on the server, which they definitely shouldn't be doing anyway.

When an inbound TCP connection arrives, the header of the initial packet has the SYN bit set. This indicates that it is the first packet in a new TCP stream. Now, should the firewall permit it in, for instance to port 80, a "state" is created and applied to all further packets in the same stream. Any packets matching this state will be further permitted by the firewall, which includes responses being sent from the server to the client.

The tracking of UDP and ICMP connections is a little more fuzzy because fundamentally they are connectionless. They don't contain any of the stream information found in a TCP session. But it works more or less the same way.

With that in mind, your outbound DNS lookups are being firewalled off because the connections are initiating from the inside, whereas HTTP traffic is initiating from the outside and being permitted in by policy.
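As an added illustration that is not part of the answer above, the following toy Python model of a stateful filter shows why a SYN to port 80 from a client is admitted and tracked while a DNS query the server starts itself is dropped; the addresses, ports and the packet sequence are constructed for the example.

```python
from dataclasses import dataclass

# Ports the firewall publishes to the internet (HTTP and HTTPS)
SERVICE_PORTS = {80, 443}

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = towards the server, "out" = away from it
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: first packet of a new stream

class StatefulFilter:
    """Simplified connection tracking: only inbound flows to published
    service ports create state; replies matching that state are permitted;
    every other packet, including anything the server initiates, is dropped."""

    def __init__(self, service_ports=SERVICE_PORTS):
        self.service_ports = set(service_ports)
        self.states = set()   # 5-tuples of flows admitted from the outside

    def decide(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belongs to an already-admitted flow, in either direction
        if key in self.states or reverse in self.states:
            return "ACCEPT (established)"
        # New inbound TCP stream (SYN) to a published port: create state
        if (pkt.direction == "in" and pkt.proto == "tcp" and pkt.syn
                and pkt.dport in self.service_ports):
            self.states.add(key)
            return "ACCEPT (new inbound)"
        # Everything else: new inbound to other ports, and all flows the
        # server starts itself (e.g. UDP/53 DNS lookups, outbound HTTPS)
        return "DROP"

def run_scenario() -> list:
    """Constructed packet sequence: a client's HTTP request, the server's
    reply, then two connections the server tries to originate."""
    fw = StatefulFilter()
    server, client, resolver = "198.51.100.10", "203.0.113.5", "192.0.2.53"
    return [
        fw.decide(Packet("in", "tcp", client, 51000, server, 80, syn=True)),
        fw.decide(Packet("out", "tcp", server, 80, client, 51000, syn=True)),
        fw.decide(Packet("out", "udp", server, 40000, resolver, 53)),
        fw.decide(Packet("out", "tcp", server, 40001, "192.0.2.80", 443, syn=True)),
    ]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```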